Critical RCE (CVE‑2025‑53521) in F5 BIG‑IP APM Actively Exploited Across 14K Exposed Instances
What It Is — A critical remote‑code‑execution (RCE) flaw (CVE‑2025‑53521) in F5 BIG‑IP Access Policy Manager (APM) allows specially‑crafted traffic to execute arbitrary code when an access policy is enabled on a virtual server. The vulnerability carries a CVSS v3.1 score of 9.8.
Exploitability — Active exploitation is confirmed in the wild; Shadowserver reports ongoing attacks and has logged >14 000 exposed APM instances. Proof‑of‑concept traffic is publicly documented.
Affected Products — F5 BIG‑IP APM (all versions that support an access policy and are not end‑of‑technical‑support). Over 14 000 instances globally remain reachable on the Internet, primarily in the US, Europe, and Asia.
TPRM Impact — Organizations that rely on F5 BIG‑IP for load balancing, reverse proxying, or secure remote access inherit a direct attack surface. Compromise can lead to lateral movement, credential theft, or service disruption, affecting downstream SaaS providers, MSPs, and any business that integrates with the compromised appliance.
Recommended Actions
- Verify product version; upgrade to the latest patched release that addresses CVE‑2025‑53521.
- If APM access policies are not required, disable the feature to eliminate the attack vector.
- Conduct external scans for exposed BIG‑IP APM fingerprints (e.g., using Shodan or Shadowserver feeds).
- Apply CISA’s KEV remediation deadline (March 30, 2026) and document compliance for audit trails.
- Monitor network traffic for anomalous requests to BIG‑IP virtual servers and implement IDS/IPS signatures for the known exploit patterns.
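The triage logic behind the actions above, as an added example (not code from F5, CISA or SecurityAffairs): it ranks a BIG‑IP inventory by the advisory's own condition, unpatched plus an APM access policy on a virtual server plus Internet exposure. The fixed version string, the sample hosts and the field names are constructed placeholders; take the real fixed release from F5's advisory for CVE‑2025‑53521.

```python
"""Triage a BIG-IP inventory for CVE-2025-53521 exposure (example code added here)."""
from dataclasses import dataclass

# ASSUMPTION: placeholder only; replace with the fixed release F5 publishes.
FIXED_VERSION = "99.0.0"


@dataclass
class BigIp:
    host: str
    version: str            # dotted version as reported by `tmsh show sys version`
    apm_policy_on_vs: bool  # an APM access policy is attached to a virtual server
    internet_exposed: bool  # reachable from the Internet (e.g. seen in Shadowserver data)


def parse_version(v: str) -> tuple:
    """Turn a dotted BIG-IP version string into a comparable tuple of ints."""
    return tuple(int("".join(ch for ch in part if ch.isdigit()) or 0) for part in v.split("."))


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    return parse_version(version) >= parse_version(fixed)


def triage(device: BigIp, fixed: str = FIXED_VERSION) -> str:
    """Classify by the advisory's condition: the flaw is reachable only on an
    unpatched instance with an access policy enabled on a virtual server."""
    if is_patched(device.version, fixed):
        return "patched"
    if not device.apm_policy_on_vs:
        return "unpatched-no-apm"   # vector eliminated; still schedule the upgrade
    if device.internet_exposed:
        return "critical"           # exploitable and reachable: patch first
    return "high"                   # exploitable from internal networks only


# Constructed sample inventory; hostnames and versions are not real devices.
SAMPLE = [
    BigIp("vpn-edge-1", "17.1.1", True, True),
    BigIp("lb-internal-2", "16.1.4", True, False),
    BigIp("lb-web-3", "17.1.1", False, True),
    BigIp("vpn-edge-4", "99.0.0", True, True),
]


def prioritized(devices=SAMPLE, fixed=FIXED_VERSION):
    """Return (status, host) pairs, most urgent first."""
    order = {"critical": 0, "high": 1, "unpatched-no-apm": 2, "patched": 3}
    return sorted(((triage(d, fixed), d.host) for d in devices), key=lambda r: order[r[0]])


if __name__ == "__main__":
    for status, host in prioritized():
        print(f"{status:18} {host}")
```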
Source: SecurityAffairs